December 18, 2023 at 05:52AM
A new wave of QakBot malware phishing targeting the hospitality industry was discovered by Microsoft. The phishing campaign began on December 11, 2023, distributing a PDF with a URL leading to an MSI file. Cisco Talos had previously noted QakBot affiliates using phishing to distribute ransomware and other malware. The return of QakBot reflects the enduring threat posed by such botnets.
Key points:
– A new wave of phishing messages distributing the QakBot malware has been observed targeting the hospitality industry.
– The phishing messages contain a PDF with a URL that downloads a digitally signed Windows Installer (.msi). Running the installer invokes QakBot by executing the ‘hvsi’ export of an embedded DLL.
– Microsoft has described this as a low-volume campaign that began on December 11, 2023, and the payload was configured with the previously unseen version 0x500.
– QakBot, also known as QBot and Pinkslipbot, has historically been distributed via spam email messages containing malicious attachments or hyperlinks and is capable of harvesting sensitive information and delivering additional malware, including ransomware.
This information highlights the ongoing threat posed by QakBot and underscores the need for organizations to remain vigilant and avoid falling victim to spam emails associated with QakBot campaigns.
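A triage check for the delivery step described above (a PDF whose link leads to an .msi), added here as an example and not taken from Microsoft's report or the original page: it extracts link targets from a PDF attachment, including those inside Flate-compressed streams, and flags URLs whose path ends in .msi. The function names, the sample PDF bytes and the example.test URLs are constructed for illustration; a link that reaches the installer through a redirect, or is stored as a hex string, will not match.

```python
import re
import zlib
from urllib.parse import urlparse

# Link target stored as a PDF literal string: /URI (https://...)
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(pdf: bytes):
    """Yield the inflated body of each Flate-compressed stream."""
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data (image, font, encrypted stream)


def extract_uris(pdf: bytes) -> list[str]:
    """Collect /URI targets from the raw file and from inflated streams."""
    found = []
    for blob in (pdf, *inflate_streams(pdf)):
        for m in URI_RE.finditer(blob):
            raw = re.sub(rb"\\(.)", rb"\1", m.group(1))  # undo \( \) \\
            uri = raw.decode("latin-1")
            if uri not in found:
                found.append(uri)
    return found


def installer_links(pdf: bytes) -> list[str]:
    """Return the URIs whose path ends in .msi (case-insensitive)."""
    return [u for u in extract_uris(pdf)
            if urlparse(u).path.lower().endswith(".msi")]


def sample_pdf() -> bytes:
    """Constructed PDF fragment: one plain link, one inside an object stream."""
    hidden = zlib.compress(
        b"<< /S /URI /URI (https://files.example.test/dl/Invoice.MSI?id=1) >>")
    return (b"%PDF-1.7\n1 0 obj << /Subtype /Link /A << /S /URI "
            b"/URI (https://example.test/help\\(1\\).html) >> >> endobj\n"
            b"2 0 obj << /Type /ObjStm /Filter /FlateDecode >>\nstream\n"
            + hidden + b"\nendstream endobj\n%%EOF\n")


if __name__ == "__main__":
    print(installer_links(sample_pdf()))
```

A hit is a reason to quarantine the message and review the link, not proof of QakBot; legitimate mail occasionally links to installers.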